Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

WOW, you're a hero! You did it, you persuaded them to do it!!!! And they listened. See, I still think they're a good bunch.
You're on ZASS 6, right?
Did you get the upgrade to the DLLs, or where? Did it come within the automatic upgrade? Or is there a version change?
Do you know whether the same fix applies to v5.5.094?
If you previously had it red X has it changed to ASK?
If you previously had it ASK, how do we know there's been a change.
When it ASKS, whom do we allow to RunDLL - examples? This is always the hardest part to figure out for me.

Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

This has been merely an update to the program control rules on ZA's servers, nothing to do with the installed program. The way to test it is to change one of the programs' SmartDefense setting from Custom back to Auto. Then run the program - the permissions will then change to whatever ZA's database thinks they should be.

I reckon 5.5 essentially uses the same database, but just ignores the OSFirewall (Trust Level) setting. To test it in 5.5, you have to remove the program from the list (right-click on it and choose Remove), because once you change the permissions the policy becomes "Custom" and there is no way to change it in 5.5.

As I said, it's the internet server permission they've stopped automatically granting, which is good. Some things like Word and Excel now have a red X in both server columns. Rundll32 now has a green tick in Trusted server and a blue ? in internet server. I have not yet received a program alert for rundll32 to say that it wants to be an internet server.

"Question: If you're connected directly to the internet (not behind a router or NAT modem) have you tried using GRC's Shields UP! test or another port scan test while these programs were running and granted Internet Server rights? Were you still stealthed?"

Well, I got around to doing your 'homework assignment,' about 8 days ago. I prepared a Test Report, before performing the ShieldsUP! testing, and also recorded my results, but I'm not going to post that report here. I wrote it to keep me focused on what I was doing, to remind me why I was doing it, and to help me understand the results I got.

I don't know about anyone else, but making written notes helps me think better. On the other hand, I swear... sometimes I think I've got ADD, OCD, OTD and a bunch of other Ds, after I see how many notes I end up making!

After finishing that 1st round of testing and considering the results, I noticed a few other variations I could have tried, but didn't get a chance to do that until a couple of days ago.

In summary, about as pithy as I can make it:

* Connected to the Internet with my NAT router installed-

The "Server:Internet" rights settings the Firefox browser has appear to be irrelevant. Firefox browser [Note 1] may have either "Allow," "Block," or "Ask" rights and the ShieldsUP! probes [Note 2] results still report that my system is fully stealthed.

There was an exception to those results, for either "Allow," "Block," or "Ask" Server rights. When I open another Firefox browser instance (aka a new browser tab) addressed to http://4.79.142.206 (the GRC ShieldsUP! probe IP) the results of all probes were still "Stealth," on all probed ports (including port 113), but the overall test "Failed" because of this single item... "Unsolicited Packets: RECEIVED (FAILED)..."

* Connected to the Internet with my NAT router removed-

Again, the "Server:Internet" rights settings the Firefox browser has appear to be irrelevant. Firefox browser [Note 1] may have either "Allow," "Block," or "Ask" rights and the ShieldsUP! probes [Note 2] results still report that my system is fully stealthed.

A similar exception as noted in the "router installed" results also applied to these results. For either "Allow," "Block," or "Ask" Server rights, when I open another Firefox browser instance addressed to the ShieldsUP! probe IP my system is "Stealth" except at one port. The probe of port 113 reported a "Closed" condition. Because of that result and the "Unsolicited Packets: RECEIVED..." the overall test result was "Failed."

For an explanation of the failures noted above, please refer to Steve Gibson's "Adaptive IDENT Stealthing Experimentation" info, which can be found at the bottom of his web page, after performing the "All Service Ports" probe.

My conclusions-

Granting the Firefox browser "Server:Internet" right to "Allow" incoming connections doesn't seem to be as dangerous as I've thought. If I understand the results of this testing and the information provided by Steve Gibson, there seems to be little possibility that I would even see an unsolicited incoming Server request. In other words, any incoming Server request I may see must be coming from a Web site with which Firefox browser has already established a connection.

"...when you surf the web you need to connect to web servers that might have any IP address. (...brevity snip...) ...a firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. Thus, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside."

In my case, the incoming Server connection issue seems to have been reduced to merely an issue of trust... Do I trust the Web site Firefox browser is connected with? So far the question is moot, because as far as I know I've never encountered such an event. The only Firefox browser Server connection requests I've seen were incoming from the "Trusted" zone.

However, allowing Firefox browser to possibly establish an outgoing "Server:Internet" connection is another matter. This still seems dangerous, to me.

The issue becomes, "Am I knowingly running a program which may use Firefox browser to establish an outgoing "Server:Internet" connection, to an IP address with which Firefox browser does not currently have an established connection?"

In my case, I'm not running any of those types of programs. Furthermore, I want to be immediately notified about any Firefox browser outgoing Server connection events.

A few days ago, I had an opportunity to discuss this issue with my brother. He uses the CA eTrust EZ Armor suite. He offered what I think is a pretty good suggestion and I promised to pass it on.

He suggested that Zone Labs should implement an ZoneAlarm firewall installation process 'interview' which asks the user if he/she is using, or plans to use, any of the known types of programs which require an Internet browser to act as a Server.

So, Jarvis, or anyone, feel free to correct me (or amplify... or comment) if I seem to have this issue figured wrong, or all twisted out of shape, or whatever.
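The Gibson passage quoted in the post above describes stateful packet filtering: the firewall remembers conversations the host itself started and lets inbound packets through only when they continue one of them. The following is an added, self-contained Python model of that rule, written here for illustration; it is not ZoneAlarm's code and does not model ZoneAlarm's adaptive handling of the IDENT port (113) that the post mentions. The addresses, ports and packet sequence are constructed (RFC 5737 documentation ranges), as are the `Packet` and `StatefulFilter` names.

```python
"""Toy stateful packet filter (educational model, not ZoneAlarm's code).

Rule being modelled, from the quoted description:
  * outbound packets are allowed and create/maintain connection state
  * inbound packets pass only if they continue a remembered conversation
  * inbound packets that start a new connection are dropped
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = host -> Internet, "in" = Internet -> host
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag (set on connection attempts)
    ack: bool = False   # TCP ACK flag (set on everything after the first SYN)


# Flow key is always written from the local host's point of view, so both
# directions of one conversation map to the same table entry.
FlowKey = Tuple[str, str, int, str, int]  # proto, local_ip, local_port, remote_ip, remote_port


class StatefulFilter:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}   # key -> "syn_sent" | "established"
        self.events: List[str] = []           # human-readable audit trail

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        key = self._key(p)
        state: Optional[str] = self.flows.get(key)

        if p.direction == "out":
            # Outbound traffic is permitted; the first packet creates state.
            if state is None:
                new_tcp = p.proto == "tcp" and p.syn
                self.flows[key] = "syn_sent" if new_tcp else "established"
            return "ALLOW"

        # Inbound with no state: nobody on this host asked for this packet.
        if state is None:
            self.events.append(
                f"DROP unsolicited {p.proto} {p.src_ip}:{p.src_port} -> port {p.dst_port}")
            return "DROP"

        if p.proto == "tcp":
            if p.syn and not p.ack:
                # A bare SYN is a fresh connection attempt even when the
                # 5-tuple happens to match a known flow; never admit it.
                self.events.append(f"DROP inbound SYN on known flow {key}")
                return "DROP"
            if state == "syn_sent":
                if p.syn and p.ack:
                    self.flows[key] = "established"   # SYN/ACK answers our SYN
                else:
                    self.events.append(f"DROP out-of-sequence packet on {key}")
                    return "DROP"

        self.events.append(
            f"ALLOW {p.proto} {p.src_ip}:{p.src_port} -> port {p.dst_port} ({self.flows[key]})")
        return "ALLOW"


# Constructed sample addresses (documentation ranges, no real hosts).
LOCAL, WEB, PROBE = "192.0.2.10", "198.51.100.7", "203.0.113.9"


def run_demo() -> List[str]:
    """Run a constructed packet sequence through the filter; returns decisions."""
    fw = StatefulFilter()
    seq = [
        Packet("out", "tcp", LOCAL, 51000, WEB, 443, syn=True),           # browser opens connection
        Packet("in", "tcp", WEB, 443, LOCAL, 51000, syn=True, ack=True),  # server's SYN/ACK
        Packet("out", "tcp", LOCAL, 51000, WEB, 443, ack=True),           # handshake completes
        Packet("in", "tcp", WEB, 443, LOCAL, 51000, ack=True),            # reply data continues flow
        Packet("in", "tcp", PROBE, 40000, LOCAL, 113, syn=True),          # unsolicited IDENT probe
        Packet("in", "tcp", PROBE, 40001, LOCAL, 80, syn=True),           # unsolicited attempt on 80
        Packet("in", "tcp", WEB, 443, LOCAL, 51000, syn=True),            # bare SYN on known tuple
    ]
    decisions = [fw.decide(p) for p in seq]
    for line in fw.events:
        print(line)
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The browser's own connection passes in both directions, while the two probes and the stray SYN are dropped even though one of them reuses an already-known address pair. That is the sense in which the post concludes the "Server:Internet" setting matters less for unsolicited traffic than for connections the browser itself is asked to open.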

Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

I've wondered, for the longest time, why there isn't any SmartDefense Advisor advice given for Corel WordPerfect Office. Surely there are thousands of people using various versions of that office suite.

Last night I finished making notes on the custom Program Control: Programs settings I've chosen over the last week or so. So, in the interest of helping you confirm the changes to SmartDefense Advisor (SDA) automatic permission settings, I decided to change all my listed programs' Custom settings back to Auto.

Following are the results of that change in SDA settings, for the programs you asked about or were mentioned in my 1st posting of this thread:

No... I didn't type all of that. A lot of it is simple cut'n'paste and more of it would be if the ZAP Control Center was a bit more user friendly. But, that's another subject, for another day.

Personally, I won't be using Auto SDA settings for some of the programs named above, because I prefer having more control over what those programs may be doing.

I'll give one example of what I mean by that, for the Firefox browser (Note 1) SDA Auto setting of TrustLevel:Super.

I've installed and frequently use the Firefox Extension named IE View (Note 2) which adds on a feature permitting quick opening of Internet Explorer (IE), to the Web page currently being viewed in Firefox.

With the trust setting stated above, Firefox performs the extension's commands without a ZAP alert about suspicious program activity. The IE program starts and loads the same Web page I was viewing in Firefox.

However, with a setting of TrustLevel:Trusted that same action results in a ZAP alert about Suspicious Behavior. I receive the warning, Firefox is trying to launch C:\Program Files\Internet\Explorer\iexplorer.exe, or use another program to gain access to privileged resources.

The first part of that warning tells me that IE View is performing an action I initiated. I want to allow that to happen.

It's the or part of that warning which concerns me. When Firefox is granted TrustLevel:Super status I'm never going to see a warning. If someone somehow figures a way, to get Firefox to perform program action which I didn't personally initiate, it's just going to happen.

Note that on that Web page SDA offers this bit of advice, Firefox is potentially malicious.

In your first post you wrote, It seems that the settings the SmartDefense gives out are to suit not only the majority but also some fringe users who don't want to be bothered by extra alerts.

Yeah, I agree it seems that way, Jarvis. If that's truly the case IMHO it doesn't really strike me as a good security policy. Zone Labs ain't never gonna please everybody... no how... no way!

IMO a good security policy would combine conservative initial SmartDefense Advisor (SDA) Auto settings plus 'Learning Mode' for the tricky permissions. Of course, that's the way it is to some extent, but SDA sets up some known programs with very non-conservative-appearing permissions which short-circuit 'Learning Mode' altogether.

For example, I've run the MS Notepad (notepad.exe) program for ages, with question marks across the board. I don't recall ever seeing a peep from ZAP, about Notepad wanting permission to do anything. Now, with the Auto settings for Notepad I see an Ask for TrustLevel and big red Xs across the board! That doesn't strike me as very conservative.

Notepad just doesn't seem like a program that's capable of performing even remotely risky actions. The most advanced feature I see in Notepad's user interface is the Edit:Time/Date function which gets the current time and date from the system and pastes it into the document.

Well, maybe that's another topic, for another day. That's me... blah blah blah!

Thank you, Jarvis, for contacting your source(s) and getting some good results on the Server:Internet issue. I've learned quite a bit from studying the info you provided and expect that'll be continued in the future.